The U.S. Federal Trade Commission (FTC) made one of its strongest statements to date on the issue of consumer privacy in the fast-emerging market for “smart” electronics: settling a complaint with the maker of SecurView, a line of home surveillance cameras that, it turned out, were just as easily used to spy into the homes of SecurView customers.
In a statement on Wednesday, the FTC said that it settled a complaint against TRENDnet, the maker of the SecurView home security cameras. The FTC had charged the Torrance, California company with misrepresenting the security of its products. TRENDnet sold “faulty software that left (the cameras) open to online viewing” by anyone who knew the device’s IP address.
Under the terms of its settlement with the Commission, TRENDnet must stop misrepresenting the “security, privacy, confidentiality, or integrity of the information that its cameras or other devices transmit,” as well as “the extent to which a consumer can control the security of information the cameras or other devices store, capture, access, or transmit.”
The complaint stems from a February 2012 case in which independent security analysts with the web site Console Cowboys published details on how a firmware flaw allowed authentication for Internet-connected SecurView cameras to be bypassed, giving any Internet user (with the know-how) the ability to view the surveillance camera’s live feed.
TRENDnet eventually patched the firmware and subsequently discontinued some of the affected products – but not before federal regulators took notice. The company is now required to establish a comprehensive information security program to address security risks in its products, which the FTC defined as anything that “could result in unauthorized access to or use of the company’s devices, and to protect the security, confidentiality, and integrity of information that is stored, captured, accessed, or transmitted by its devices.”
The company also is required to obtain third-party assessments of its security programs every two years for the next 20 years.
The FTC went further on Wednesday, with blog posts that highlighted the settlement and other supporting information warning consumers and businesses about the security and privacy risks of IP-enabled cameras and advising them to use good security hygiene: keeping firmware up to date, making sure communications are encrypted using secure HTTP and securing devices with strong passwords.